
Cannot surf webpages on a higher security interface on a PIX515

Hi all, I have a 515 with 4 interfaces that are relevant.  Inside (100), DMZ (50), bCat (20), outside (0).  The bCat interface is a totally separate company that is utilizing our firewall.  The company on the bCat interface has their website hosted on the DMZ interface.  I cannot get web traffic to the DMZ interface from the bCat interface even though I have the conduit that allows http from any to the hosts in the DMZ.  I think it is something to do with NATing, and it is probably simple, but I am stuck at this point.  I want to enable traffic from the bCat interface (192.168.15.0/24) to the DMZ interface (214.45.93.0/24).  I know that I am bypassing NAT from the internal to bCat b/c I can ping 192.168.15.0 from my internal.  My relevant config is below.  I also want to allow certain traffic from the bCat interface to my backup server on the internal interface.  Your help is greatly appreciated, and my relevant config is below:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet4 bCat security20
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname PIX515-PRI
domain-name company-corp.com
fixup protocol dns maximum-length 2000
fixup protocol http 80
object-group network WWW-Servers
  description Web Servers only No Terminal Servers
  network-object host 214.45.101.16
  network-object host 214.45.101.21
  network-object host 214.45.101.23
  network-object host 214.45.101.24
  network-object host 214.45.101.20
  network-object host 214.45.101.10
  network-object host 214.45.101.18
  network-object host 214.45.101.12
  network-object host 214.45.101.15
access-list ping-acl permit icmp any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.12.131.0 255.255.255.0
ip address outside 214.45.100.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 214.45.101.1 255.255.255.0
no ip address SQLDMZ
ip address bCat 192.168.15.254 255.255.255.0
global (outside) 1 214.45.100.129-214.45.100.189
global (outside) 1 214.45.100.190
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 214.45.101.0 255.255.255.0 0 0
nat (bCat) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,bCat) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 214.45.100.4 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 214.45.100.12 10.1.1.45 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.20 214.45.101.20 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.16 214.45.101.16 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.18 214.45.101.18 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.21 214.45.101.21 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.23 214.45.101.23 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.24 214.45.101.24 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.28 214.45.101.28 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.29 214.45.101.29 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.30 214.45.101.30 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.31 214.45.101.31 netmask 255.255.255.255 0 0
static (DMZ,outside) 214.45.101.15 214.45.101.15 netmask 255.255.255.255 0 0
static (inside,outside) 214.45.101.8 10.1.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 214.45.100.32 10.1.1.7 netmask 255.255.255.255 0 0
static (bCat,outside) 214.45.102.32 192.168.15.220 netmask 255.255.255.255 0 0
static (bCat,outside) 214.45.102.31 192.168.15.36 netmask 255.255.255.255 0 0
conduit permit udp host 214.45.101.4 eq domain any
conduit permit tcp host 10.1.1.25 eq smtp host 214.45.101.4
conduit permit tcp host 10.1.1.13 eq 1433 host 214.45.101.17
conduit permit tcp host 214.45.101.4 eq domain any
conduit permit tcp host 10.1.1.30 eq 6103 214.45.101.0 255.255.255.0
conduit permit tcp host 10.1.1.30 eq 10000 214.45.101.0 255.255.255.0
conduit permit udp host 214.45.101.22 eq snmp host 214.45.100.1
conduit permit udp host 214.45.101.22 eq snmptrap host 214.45.100.1
conduit permit udp host 214.45.101.22 eq syslog host 214.45.100.1
conduit permit udp host 214.45.101.22 eq syslog host 209.108.220.54
conduit permit tcp host 10.1.1.30 range 24001 24100 214.45.101.0 255.255.255.0
conduit permit udp host 10.1.1.30 range 24001 24100 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.101.8 eq www any
conduit permit tcp host 10.1.1.9 eq sqlnet host 214.45.101.30
conduit permit tcp host 214.45.101.31 eq pop3 any
conduit permit tcp host 214.45.101.31 eq www any
conduit permit tcp host 10.1.1.13 eq 1433 214.45.101.0 255.255.255.0
conduit permit tcp host 10.1.1.9 eq 1433 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.101.8 eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp object-group TS-Servers eq 3389 any
conduit permit tcp object-group TS-Servers eq www any
conduit permit tcp object-group WWW-Servers eq www any
conduit permit tcp object-group WWW-Servers eq https any
conduit permit tcp object-group FTP-Servers eq ftp any
conduit permit tcp host 214.45.102.31 eq smtp object-group SMTP-to-Exchange-Server
conduit permit tcp host 214.45.102.31 eq pop3 any
conduit permit tcp host 214.45.102.31 eq 3389 214.45.100.0 255.255.255.0
conduit permit tcp host 214.45.102.31 eq 3389 214.45.101.0 255.255.255.0
conduit permit tcp host 214.45.102.31 eq https any
conduit permit tcp host 214.45.102.31 eq www any
route outside 0.0.0.0 0.0.0.0 214.45.100.1 1
Asked by: adsnetcurve
1 Solution
 
grblades commented:
> nat (bCat) 1 0.0.0.0 0.0.0.0 0 0
Everything from the bCat interface is being NAT'd. This is why you can only access machines connected via the outside interface.

Try adding :-
nat (bCat) 0 access-list 102
access-list 102 permit ip 192.168.15.0 255.255.255.0 214.45.101.0 255.255.255.0
 
lrmoore commented:
Same principle as grblades - yo!

You have a static xlate for dmz-to-outside for the server:
>static (DMZ,outside) 214.45.101.31 214.45.101.31 netmask 255.255.255.255

Create a similar static for dmz-to-bCat for the servers they want to get to.
  static (DMZ,bCat) 214.45.101.31 214.45.101.31 netmask 255.255.255.255
 
adsnetcurve (Author) commented:
I ended up doing it as lrmoore suggested, but I believe either would work, so I awarded to grblades since he posted first.  I'm sure I'll have more though.  Thanks for both of your help.  Just out of curiosity, what is the difference between the two ways of doing it?  Is one considered the "degradated method"?
 
grblades commented:
The 'NAT 0' rule basically defines a rule where NAT should not be performed.
The 'Static' command basically defines a manual NAT translation where nothing is actually translated.

It does not really matter which one you use. Personally I prefer to use the 'nat 0' method as it appears cleaner to me (keeps the outgoing NAT configuration separate) but it is really just personal preference.
 
lrmoore commented:
The access-list with nat "zero" is most typically used with VPNs, and I like to use the static between DMZ interfaces. With a static, it doesn't matter which side initiates the traffic. With an ACL, the traffic is asymmetrical, meaning it must originate on the bCat interface, but it does not create the xlate for the server to the bCat interface, which must exist somewhere.

Glad you got it working!
If you want, we can un-accept this question and then you can split the points between us..
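As an added check (not from the thread or from Cisco), here is a small Python script that parses PIX 6.x-style config lines and reports whether either remedy discussed above, an identity static between the two interfaces or a nat 0 access-list exemption on the lower-security interface, covers a given bCat-to-DMZ flow. The config excerpt is constructed from the lines posted in the question, the two fixes are the posters' own lines, and the function name translation_path is this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the posted config; the plain 'nat (DMZ) 0' line is not an exemption ACL.
BASE_CONFIG = """\
nat (DMZ) 0 214.45.101.0 255.255.255.0 0 0
nat (bCat) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 214.45.101.31 214.45.101.31 netmask 255.255.255.255 0 0
"""
# The two fixes proposed in the thread, as written by each poster.
GRBLADES_FIX = """\
nat (bCat) 0 access-list 102
access-list 102 permit ip 192.168.15.0 255.255.255.0 214.45.101.0 255.255.255.0
"""
LRMOORE_FIX = "static (DMZ,bCat) 214.45.101.31 214.45.101.31 netmask 255.255.255.255\n"
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")


def translation_path(config, high_if, low_if, src_net, dst_host):
    """Return the static or nat-0 rule covering src_net (on low_if) -> dst_host (on high_if), else None."""
    src_net, dst_host = ipaddress.ip_network(src_net), ipaddress.ip_address(dst_host)
    nat0_acls, acls = set(), {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            real_if, mapped_if, real, mapped, mask = m.groups()
            # Identity static that presents the high-security host unchanged on low_if.
            if ((real_if, mapped_if) == (high_if, low_if) and real == mapped
                    and dst_host in ipaddress.ip_network(f"{real}/{mask}")):
                return f"static ({real_if},{mapped_if}) {real}"
        elif m := NAT0_RE.match(line):
            if m.group(1) == low_if:
                nat0_acls.add(m.group(2))
        elif m := ACL_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                                              ipaddress.ip_network(f"{d_ip}/{d_mask}")))
    # NAT exemption: nat 0 on low_if whose access-list spans src_net -> dst_host.
    for name in nat0_acls:
        for s, d in acls.get(name, []):
            if src_net.subnet_of(s) and dst_host in d:
                return f"nat ({low_if}) 0 access-list {name}"
    return None


if __name__ == "__main__":  # as posted, then with each proposed fix applied
    for label, cfg in (("posted", BASE_CONFIG), ("grblades", BASE_CONFIG + GRBLADES_FIX),
                       ("lrmoore", BASE_CONFIG + LRMOORE_FIX)):
        print(label, translation_path(cfg, "DMZ", "bCat", "192.168.15.0/24", "214.45.101.31"))
```

Run against the config as posted it finds no rule for the bCat-to-DMZ flow, which is the symptom in the question; with either fix appended it names the rule that now covers it.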
